<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" 
xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:"Courier New";}
span.EmailStyle19
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Sorry about that. Here’s the info:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>When I run <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>the
command you gave me below, I get this:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>root@gatekeeper:/home/administrator# iptables -t filter -L -n -v<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> pkts bytes target prot opt in out source destination<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> pkts bytes target prot opt in out source destination<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> pkts bytes target prot opt in out source destination<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>root@gatekeeper:/home/administrator# iptables -t nat -L -n -v<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> pkts bytes target prot opt in out source destination<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> pkts bytes target prot opt in out source destination<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> pkts bytes target prot opt in out source destination<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>root@gatekeeper:/home/administrator# iptables -t mangle -L -n -v<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> pkts bytes target prot opt in out source destination<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> pkts bytes target prot opt in out source destination<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> pkts bytes target prot opt in out source destination<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> pkts bytes target prot opt in out source destination<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> pkts bytes target prot opt in out source destination<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>root@gatekeeper:/home/administrator#<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>I guess this is telling me that nothing
is blocked and there are no rules?<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>I am connecting through the
internet. My company is actually the ISP for other companies in our
building and the building next to us, so I am using a separate IP space outside
of our network to put the Linksys box and set up my test remote site. My
Linux server is using an IP in the same subnet as my Check Point firewall, but
it is going “around” the firewall. To help explain all of
this, I have thrown together a quick diagram of everything. You can
access it here: <a
href="http://www.imagehosting.com/show.php/1630007_OpenSwanDiagram.jpg.html">http://www.imagehosting.com/show.php/1630007_OpenSwanDiagram.jpg.html</a>.
If I have left something out, please let me know.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>The Ubuntu server and the
Linksys router do indeed have their own external IP addresses. Here is my
Linksys config: <a
href="http://www.imagehosting.com/show.php/1630052_linksyscfgPage1.jpg.html">http://www.imagehosting.com/show.php/1630052_linksyscfgPage1.jpg.html</a>
and <a
href="http://www.imagehosting.com/show.php/1630053_linksyscfgPage2.jpg.html">http://www.imagehosting.com/show.php/1630053_linksyscfgPage2.jpg.html</a>.
<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>I am hoping these pics look
OK. If you need me to provide additional information, please let me know.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Thanks again for all of your
help.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>-Chris<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
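<p class=MsoNormal>The listing above can be read mechanically. The following is an added example, not code from Openswan or from any post in this thread: it parses the output of <span style='font-family:"Courier New"'>iptables -t filter -L -n -v</span> and reports, for each built-in chain, what would happen to the two flows named earlier in the thread, IKE on UDP port 500 and ESP (IP protocol 50). The two listings inside it are constructed: EMPTY_FILTER mirrors the empty tables shown above, LOCKED_FILTER is a hypothetical host with a DROP policy. Interface and address selectors are deliberately ignored; it is a first-pass triage of the listing, not a packet simulation.</p>

```python
"""Interpret `iptables -t filter -L -n -v` output for IPsec reachability.

Added example for this thread, not code from Openswan or from any post.
Reports per built-in chain what IKE (udp/500) and ESP (proto 50) would get.
"""
import re

# "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)" or "Chain foo (2 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
# Rule columns with -n -v: pkts bytes target prot opt in out source destination [extra]
# pkts/bytes may carry K/M suffixes, so they are matched as plain tokens.
RULE_RE = re.compile(
    r"^\s*\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)
# "dpt:500" / "spt:500" but not "dpt:5000"
PORT500_RE = re.compile(r"[sd]pt:500\b")


def parse_chains(output):
    """Return {chain: {"policy": str or None, "rules": [dict, ...]}} for one table."""
    chains = {}
    current = None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        stripped = line.strip()
        if current is None or not stripped or stripped.startswith("pkts"):
            continue  # blank separator or column header
        r = RULE_RE.match(line)
        if r:
            target, prot, in_if, out_if, src, dst, extra = r.groups()
            chains[current]["rules"].append({
                "target": target, "prot": prot, "in": in_if, "out": out_if,
                "src": src, "dst": dst, "extra": extra.strip(),
            })
    return chains


def rule_covers_ipsec(rule):
    """True if the rule's protocol/port selector could match IKE or ESP."""
    prot = rule["prot"].lower()
    extra = rule["extra"]
    if prot in ("all", "0") or prot in ("esp", "50"):
        return True
    if prot in ("udp", "17"):
        # a udp rule naming port 500, or a udp rule with no port selector at all
        return bool(PORT500_RE.search(extra)) or "pt:" not in extra
    return False


def ipsec_verdict(chain):
    """First matching rule's target, otherwise the chain policy."""
    for rule in chain["rules"]:
        if rule_covers_ipsec(rule):
            return "rule " + rule["target"]
    return "policy " + str(chain["policy"])


def audit_filter_table(output):
    """Map INPUT/FORWARD/OUTPUT to the verdict IPsec traffic would receive."""
    chains = parse_chains(output)
    return {name: ipsec_verdict(chains[name])
            for name in ("INPUT", "FORWARD", "OUTPUT") if name in chains}


# Constructed sample: mirrors the thread's empty filter table.
EMPTY_FILTER = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed sample: hypothetical host with a DROP INPUT policy that admits IKE
# and ESP explicitly but has no FORWARD rule for the subnet-to-subnet traffic.
LOCKED_FILTER = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  3200 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
   10   800 ACCEPT     esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

if __name__ == "__main__":
    for label, listing in (("empty", EMPTY_FILTER), ("locked", LOCKED_FILTER)):
        print(label, audit_filter_table(listing))
```

<p class=MsoNormal>For the empty listing every chain answers "policy ACCEPT", which is the "nothing is blocked and there are no rules" reading. For the locked listing INPUT answers "rule ACCEPT" while FORWARD answers "policy DROP", which is the case where IKE completes but the subnet-to-subnet traffic mentioned earlier in the thread never passes.</p>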
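<p class=MsoNormal>The other check this thread turns on is whether both ends propose the same Phase 1 parameters. The following is an added example, not Openswan code: it parses an Openswan <span style='font-family:"Courier New"'>ike=</span> or <span style='font-family:"Courier New"'>esp=</span> line such as the <span style='font-family:"Courier New"'>3des-md5-modp1024</span> quoted below and compares it with the cipher, hash and DH group a router such as the Linksys exposes, reporting the first mismatch. The group-number-to-MODP mapping follows RFC 2409 (groups 1 and 2) and RFC 3526 (groups 5 and 14); the peer settings it is run with are constructed, and the alias tables for router UI names are an assumption.</p>

```python
"""Check a peer's IKE/ESP settings against an Openswan ike= / esp= line.

Added example for this thread, not Openswan code. Mirrors the diagnosis given
in the thread: a peer offering DH group 1 (768-bit) against modp1024 (group 2).
"""

# IKE DH group number to Openswan modp keyword (RFC 2409 groups 1-2, RFC 3526 5 and 14)
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
MODP_TO_GROUP = {name: num for num, name in DH_GROUPS.items()}
# Group 1 is refused by openswan as too weak, as stated in the thread.
WEAK_GROUPS = {1}

# Assumed spellings a router web UI may use, normalised to openswan keywords.
ENC_ALIASES = {"des": "des", "3des": "3des", "aes": "aes",
               "aes-128": "aes128", "aes-256": "aes256"}
HASH_ALIASES = {"md5": "md5", "sha1": "sha1", "sha": "sha1", "sha-1": "sha1"}


def parse_proposals(line):
    """Parse 'enc-hash-modpNNNN' (ike=) or 'enc-hash' (esp=) proposals, comma separated.

    Returns a list of (enc, hash, dh_group or None) tuples."""
    proposals = []
    for prop in line.split(","):
        parts = prop.strip().lower().split("-")
        if len(parts) == 2:
            enc, hsh, group = parts[0], parts[1], None
        elif len(parts) == 3 and parts[2] in MODP_TO_GROUP:
            enc, hsh, group = parts[0], parts[1], MODP_TO_GROUP[parts[2]]
        else:
            raise ValueError("unrecognised proposal: %r" % prop)
        proposals.append((enc, hsh, group))
    return proposals


def group_name(group):
    """Human-readable DH group label."""
    if group is None:
        return "no DH group"
    return "group %d (%s)" % (group, DH_GROUPS.get(group, "unknown size"))


def check_peer(proposal_line, peer):
    """Compare peer {'enc', 'hash', optional 'dh_group'} with an openswan proposal line.

    Returns (matches, explanation). The explanation names the first difference
    in the order that decides Phase 1: DH group, then cipher, then hash."""
    enc = ENC_ALIASES.get(peer["enc"].lower(), peer["enc"].lower())
    hsh = HASH_ALIASES.get(peer["hash"].lower(), peer["hash"].lower())
    group = peer.get("dh_group")
    offered = (enc, hsh, group)
    proposals = parse_proposals(proposal_line)
    if offered in proposals:
        return True, "peer %s-%s with %s matches %s" % (enc, hsh, group_name(group), proposal_line)
    want_enc, want_hash, want_group = proposals[0]
    if group != want_group:
        detail = "DH group mismatch: peer offers %s, openswan wants %s" % (
            group_name(group), group_name(want_group))
        if group in WEAK_GROUPS:
            detail += "; group %d is refused by openswan as too weak" % group
        return False, detail
    if enc != want_enc:
        return False, "encryption mismatch: peer %s, openswan %s" % (enc, want_enc)
    return False, "hash mismatch: peer %s, openswan %s" % (hsh, want_hash)


if __name__ == "__main__":
    # Constructed peer settings: a router left at DH Group 1, then moved to Group 2.
    linksys_group1 = {"enc": "3DES", "hash": "MD5", "dh_group": 1}
    linksys_group2 = {"enc": "3DES", "hash": "MD5", "dh_group": 2}
    print(check_peer("3des-md5-modp1024", linksys_group1))
    print(check_peer("3des-md5-modp1024", linksys_group2))
    print(check_peer("3des-md5", {"enc": "3DES", "hash": "MD5"}))
```

<p class=MsoNormal>Run as written, the first call reports the DH group mismatch and flags group 1 as refused, the second reports a match once the router is moved to group 2, and the third checks the Phase 2 <span style='font-family:"Courier New"'>esp=3des-md5</span> line, which carries no DH group.</p>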
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Peter McGill
[mailto:petermcgill@goco.net] <br>
<b>Sent:</b> Friday, March 14, 2008 12:50 PM<br>
<b>To:</b> Chris Thomas; users@openswan.org<br>
<b>Subject:</b> RE: [Openswan Users] Getting there....<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Firewall was merely a place to check, not guaranteed to be the
problem.</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>If you can get a console on your Ubuntu, you can check firewall
with...</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>iptables -t filter -L -n -v</span><span style='font-size:12.0pt;
font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>iptables -t nat -L -n -v</span><span style='font-size:12.0pt;
font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>iptables -t mangle -L -n -v</span><span style='font-size:12.0pt;
font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Are you connecting through the internet, or are you testing
internally?</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Do both the Ubuntu server and linksys router have public internet
ip addresses?</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>(Not 172.16...172.32... or 10... or 192.168..., etc...)</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>I cannot tell as you completely edited them from your posts.</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Next time try just masking the end like: 66.11.x.x</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Testing internally sometimes needs different settings than
production internet.</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Is linksys using DES or 3DES? Should be 3DES & MD5 matching
your openswan.</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Can you show us your linksys ipsec configuration?</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<div>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Peter
McGill</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<div>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p>
</div>
<blockquote style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt;
margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p>
<div class=MsoNormal align=center style='text-align:center'><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'>
<hr size=2 width="100%" align=center>
</span></div>
<p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <b>On Behalf Of </b>Chris Thomas<br>
<b>Sent:</b> March 14, 2008 12:19 PM<br>
<b>To:</b> users@openswan.org<br>
<b>Subject:</b> Re: [Openswan Users] Getting there....</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>OK, I have hit a brick wall
here and it’s getting a bit frustrating. I have disabled the Linux
firewall and the Shoreline firewall on my server and I’m still getting
the same error below when I attempt to establish the tunnel. Is this
absolutely positively due to a firewall issue or is it possible that I’ve
got something else incorrectly configured somewhere? I am fairly new to
Linux so I am administering my Ubuntu server with Webmin. That is what I
am using to verify that the firewall(s) are turned off. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>I have also disabled the
firewall on the Linksys box and have examined its logs. This is
what shows up after I hit “connect” to initiate the tunnel:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 14 09:33:34 - [VPN Log]:
"pax_square" #2: initiating Main Mode<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 14 09:33:43 - [VPN Log]:
initiate on demand from 192.168.36.100:0 to 192.168.0.30:0 proto=0 state:
fos_start because: acquire<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 14 09:34:44 - [VPN Log]:
"pax_square" #2: max number of retransmissions (2) reached
STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 14 10:08:54 - [VPN Log]:
"pax_square" #3: initiating Main Mode<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 14 10:10:04 - [VPN Log]:
"pax_square" #3: max number of retransmissions (2) reached
STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 14 10:53:58 - [VPN Log]:
"pax_square" #4: initiating Main Mode<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 14 10:55:08 - [VPN Log]:
"pax_square" #4: max number of retransmissions (2) reached
STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>If it helps, this is my
ipsec.conf file on the Ubuntu server running OpenSwan:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>version 2.0
# conforms to second version of ipsec.conf specification<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>config setup<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
interfaces=%defaultroute<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
uniqueids=yes<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'> <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>include
/etc/ipsec.d/examples/no_oe.conf<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'> <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>conn pax_square<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
also=central-site<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
right=%any<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
rightid=@pax_square<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
rightsubnet=192.168.36.0/24<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
also=linksys-policy<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
auto=add <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'> <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>conn central-site<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
left=(external IP of Linux server)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
leftsubnet=192.168.0.0/24<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
leftsourceip=192.168.0.20<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>conn linksys-policy<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'> ike=3des-md5-modp1024
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
esp=3des-md5
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
compress=no<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>
authby=secret </span><span style='font-size:10.0pt;
font-family:"Courier New"'><o:p></o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>If it’s definitely the firewall, I’ll go back to
the drawing board and see what I can see.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>As before, I appreciate the help and patience.<o:p></o:p></p>
<p class=MsoNormal>Thanks<o:p></o:p></p>
<p class=MsoNormal>-Chris<o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Peter McGill
[mailto:petermcgill@goco.net] <br>
<b>Sent:</b> Thursday, March 13, 2008 4:14 PM<br>
<b>To:</b> Chris Thomas; users@openswan.org<br>
<b>Subject:</b> RE: [Openswan Users] Getting there....<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Check your firewall(s) on both ends, and check the linksys logs.</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>You must allow ipsec (and ipsec encapsulated traffic) in your
firewalls.</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>protocol port description</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>17 500 udp:isakmp</span><span style='font-size:12.0pt;
font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>50 esp</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>You must allow the above inbound and outbound on your internet
interfaces.</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>You must also allow the subnet-to-subnet traffic.</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<div>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Peter
McGill</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<div>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p>
</div>
<blockquote style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt;
margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p>
<div class=MsoNormal align=center style='text-align:center'><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'>
<hr size=2 width="100%" align=center>
</span></div>
<p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <b>On Behalf Of </b>Chris Thomas<br>
<b>Sent:</b> March 13, 2008 4:06 PM<br>
<b>To:</b> users@openswan.org<br>
<b>Subject:</b> Re: [Openswan Users] Getting there....</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal>OK, I changed my Linksys box to 1024 bit and I now have
this:<o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Mar
13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: ignoring
unknown Vendor ID payload [4f4540454371496d7a684644]<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Mar
13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received
Vendor ID payload [Dead Peer Detection]<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Mar
13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received
Vendor ID payload [RFC 3947] meth=110, but port floating is off<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Mar
13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating
is off<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Mar
13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating
is off<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Mar
13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Mar
13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP)
#9: responding to Main Mode from unknown peer (remote site IP)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Mar
13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP)
#9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Mar
13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP)
#9: STATE_MAIN_R1: sent MR1, expecting MI2<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Mar
13 16:02:28 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP)
#7: max number of retransmissions (2) reached STATE_MAIN_R1<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Thanks<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>-Chris<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Peter McGill
[mailto:petermcgill@goco.net] <br>
<b>Sent:</b> Thursday, March 13, 2008 3:50 PM<br>
<b>To:</b> Chris Thomas; users@openswan.org<br>
<b>Subject:</b> RE: [Openswan Users] Getting there....<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>There is a mismatch in your options, specifically your DH/modp
Group.</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Diffie-Hellman (DH) Group needs to match openswan's ike=*-modp????</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>I'm guessing that your linksys is sending Diffie-Hellman (DH) Group
1 (768-bit).</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Openswan will not allow this because its security is too weak.</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>If you have ike=3des-md5-modp1024 or ike=aes-sha1-modp1024 as I
suggested,</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>then change your linksys to use Group 2 (1024-bit) to match it.</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<div>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Peter
McGill</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<div>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p>
</div>
<blockquote style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt;
margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p>
<div class=MsoNormal align=center style='text-align:center'><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'>
<hr size=2 width="100%" align=center>
</span></div>
<p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <b>On Behalf Of </b>Chris Thomas<br>
<b>Sent:</b> March 13, 2008 3:40 PM<br>
<b>To:</b> users@openswan.org<br>
<b>Subject:</b> [Openswan Users] Getting there....</span><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Hello again, everyone.
I have configured my Linksys box to connect to my Ubuntu server running
OpenSwan, but when I attempt to initiate the connection, my logs on the server
at HQ get full of this stuff:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 13 15:31:54 gatekeeper
pluto[11850]: packet from (remote site external IP):500: ignoring unknown
Vendor ID payload [4f4540454371496d7a684644]<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 13 15:31:54 gatekeeper
pluto[11850]: packet from (remote site external IP):500: received Vendor ID
payload [Dead Peer Detection]<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 13 15:31:54 gatekeeper
pluto[11850]: packet from (remote site external IP):500: received Vendor ID
payload [RFC 3947] meth=110, but port floating is off<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 13 15:31:54 gatekeeper
pluto[11850]: packet from (remote site external IP):500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 13 15:31:54 gatekeeper
pluto[11850]: packet from (remote site external IP):500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 13 15:31:54 gatekeeper
pluto[11850]: packet from (remote site external IP):500: ignoring Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-00]<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 13 15:31:54 gatekeeper
pluto[11850]: "pax_square"[1] (remote site external IP) #1: responding
to Main Mode from unknown peer (remote site external IP)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 13 15:31:54 gatekeeper
pluto[11850]: "pax_square"[1] (remote site external IP) #1: only
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute
OAKLEY_GROUP_DESCRIPTION<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 13 15:31:54 gatekeeper
pluto[11850]: "pax_square"[1] (remote site external IP) #1: no
acceptable Oakley Transform<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 13 15:31:54 gatekeeper
pluto[11850]: "pax_square"[1] (remote site external IP) #1: sending
notification NO_PROPOSAL_CHOSEN to (remote site external IP):500<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>Mar 13 15:31:54 gatekeeper
pluto[11850]: "pax_square"[1] (remote site external IP): deleting
connection "pax_square" instance with peer (remote site external IP)
{isakmp=#0/ipsec=#0}<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>I am assuming that it has
something to do with the Preshared key that I am using, but I am not too sure
how to go about fixing it. I do not want to be a nuisance, but can anyone
give me a (another) push in the right direction? <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>I appreciate your patience.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt'>-Chris</span><o:p></o:p></p>
</blockquote>
</blockquote>
</blockquote>
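<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Added example (not part of either message above, and not Openswan's own code): a small Python script that reads pluto log lines like the ones Chris quoted and confirms the diagnosis Peter gives. It picks out the <code>only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION</code> line to learn which DH groups the responder accepts, flags the <code>no acceptable Oakley Transform</code> / <code>NO_PROPOSAL_CHOSEN</code> rejection, and then checks a candidate <code>ike=</code> value against the numeric DH group a Linksys box would be set to. The embedded log lines are constructed from the excerpt with a placeholder peer address (192.0.2.10); the group-number-to-modp table is from RFC 2409 and RFC 3526. Pluto does not log which group the peer actually offered in this message, so that still has to be read off the Linksys configuration page.</span></p>

```python
"""Diagnose an IKEv1 Main Mode proposal mismatch from Openswan pluto log lines.

Example code written for this thread; it is not part of Openswan.
"""
import re

# IKEv1 Diffie-Hellman group number -> (Openswan ike= token, modulus bits).
# Groups 1 and 2 are from RFC 2409, groups 5 and 14 from RFC 3526.
DH_GROUPS = {
    1: ("modp768", 768),
    2: ("modp1024", 1024),
    5: ("modp1536", 1536),
    14: ("modp2048", 2048),
}
MODP_TO_GROUP = {name: num for num, (name, _bits) in DH_GROUPS.items()}

# Constructed sample, modelled on the pluto output quoted in the thread.
# The peer address is a placeholder; the original post had it redacted.
SAMPLE_LOG = """\
Mar 13 15:31:54 gatekeeper pluto[11850]: packet from 192.0.2.10:500: received Vendor ID payload [Dead Peer Detection]
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 192.0.2.10 #1: responding to Main Mode from unknown peer 192.0.2.10
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 192.0.2.10 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 192.0.2.10 #1: no acceptable Oakley Transform
Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 192.0.2.10 #1: sending notification NO_PROPOSAL_CHOSEN to 192.0.2.10:500
"""

SUPPORTED_RE = re.compile(r"only (.*?) supported\.\s+Attribute OAKLEY_GROUP_DESCRIPTION")
GROUP_RE = re.compile(r"OAKLEY_GROUP_(MODP\d+)")
CONN_RE = re.compile(r'"([^"]+)"\[\d+\]')


def parse_supported_groups(log_text):
    """Return the set of ike= modp tokens pluto says it accepts, e.g. {'modp1024', 'modp1536'}."""
    groups = set()
    for match in SUPPORTED_RE.finditer(log_text):
        for modp in GROUP_RE.findall(match.group(1)):
            groups.add(modp.lower())
    return groups


def diagnose(log_text):
    """Summarise a Phase 1 failure: was the proposal rejected, on which connection,
    which modp groups the responder accepts, and which IKE group numbers the peer
    would have to offer for Phase 1 to get past OAKLEY_GROUP_DESCRIPTION."""
    rejected = ("no acceptable Oakley Transform" in log_text
                or "NO_PROPOSAL_CHOSEN" in log_text)
    conn = CONN_RE.search(log_text)
    supported = parse_supported_groups(log_text)
    return {
        "phase1_rejected": rejected,
        "connection": conn.group(1) if conn else None,
        # sort by modulus size so modp1024 precedes modp1536
        "accepted_modp": sorted(supported, key=lambda s: int(s[4:])),
        "peer_dh_groups": sorted(MODP_TO_GROUP[g] for g in supported if g in MODP_TO_GROUP),
        # the group line only appears when the offered group was the attribute
        # pluto could not match, so its presence plus the rejection is the mismatch
        "dh_group_mismatch": rejected and bool(supported),
    }


def ike_accepts_group(ike_value, peer_group):
    """Check a candidate ike= value (comma-separated cipher-hash-modpNNNN proposals,
    e.g. '3des-md5-modp1024,aes-sha1-modp1536') against the numeric DH group the
    peer is configured to send. Proposals without an explicit modp token are
    ignored here rather than guessing Openswan's default."""
    wanted = DH_GROUPS.get(peer_group)
    if wanted is None:
        return False
    for proposal in ike_value.split(","):
        parts = proposal.strip().lower().split("-")
        if len(parts) >= 3 and parts[-1] == wanted[0]:
            return True
    return False


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print(report)
    for group in (1, 2, 5):
        print(f"Linksys set to DH group {group}: ike=3des-md5-modp1024 accepts ->",
              ike_accepts_group("3des-md5-modp1024", group))
```

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Run it as <code>python3 pluto_dh_check.py</code> (the filename is arbitrary), or pipe a real <code>/var/log/auth.log</code> excerpt into <code>diagnose()</code>. On the sample it reports the <code>pax_square</code> connection rejected with <code>modp1024</code> and <code>modp1536</code> accepted, i.e. the Linksys must offer Group 2 or Group 5; with <code>ike=3des-md5-modp1024</code>, only Group 2 passes, which is the change Peter suggests.</span></p>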
</div>
</body>
</html>